Anthem cyberattack perpetrated by foreign government, officials say

'The United States government needs to take steps to prevent and hold foreign governments and other foreign actors accountable for cyber attacks on insurers, much as the President did in response to Russian government sponsored cyber hacking.'

The hacker who targeted Anthem in early 2015, exposing more than 78 million customer records in one of the largest healthcare breaches ever, was acting on behalf of a foreign government, investigators from the the California Department of Insurance say.

Anthem is currently spending more than $260 million dollars for security improvements and remedial actions in response to this breach, the department said in releasing the examination findings and settlement agreement Friday.

"In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government," said Insurance Commissioner Dave Jones, who was among seven insurance commissioners leading the national investigation.

Jones and the department did not name the foreign government nor identity of the attacker.

The team determined with a high degree of confidence the identity of the attacker and concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government, the department said. Notably, the exam team also advised that previous attacks associated with this foreign government have not resulted in personal information being transferred to non-state actors.

"Insurers and regulators alone cannot stop foreign government assisted cyber attacks," Jones said. "The United States government needs to take steps to prevent and hold foreign governments and other foreign actors accountable for cyber attacks on insurers, much as the President did in response to Russian government sponsored cyber hacking in our recent presidential election. "

Anthem agreed to make a number of enhancements to its information security systems, and also agreed to provide credit protection to all consumers whose information was compromised.

"This was one of the largest cyber hacks of an insurance company's customer data," Jones said. "Insurers have an obligation to make sure consumers' health and financial information is protected. Insurance commissioners required Anthem to take a series of steps to improve its cybersecurity and provide credit protection for consumers affected by the breach."

The cyber breach was first discovered by Anthem on January 27, 2015, according to the department.

In early February 2015, Anthem and its affiliates announced the company had suffered a major breach, which compromised 78.8 million consumer records, including records of at least 12 million minors.

The data breach began on February 18, 2014, when a user within one of Anthem's subsidiaries opened a phishing email containing malicious content, according to the investigation by the examination team and a separate internal investigation by Mandiant, an information security firm hired by Anthem. Opening the email permitted the download of malicious files to the user's computer and allowed hackers to gain remote access to that computer and at least 90 other systems within the Anthem enterprise, including Anthem's data warehouse.

The lead insurance commissioners employed an examination team composed of the cybersecurity firm CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services.

The team focused its investigation on Anthem's pre-breach response preparedness, the company's response adequacy at the time of the breach, and their post-breach response and corrective actions.

The team found Anthem had taken reasonable measures prior to the data breach to protect its data and employed a remediation plan resulting in a rapid and effective response to the breach once it was discovered, the department said.

The team noted Anthem's exploitable vulnerabilities, worked with Anthem to develop a plan to address those vulnerabilities, and conducted a penetration test exercise to validate the strength of its corrective measures. As a result, the team found Anthem's improvements to its cybersecurity protocols and planned improvements were reasonable.

Within two weeks of discovering the breach and following discussions with the lead states, Anthem hired AllClear ID, a consumer credit protection company, to offer credit protection services to all breach-affected consumers for a two-year period.

Additionally, as a result of this multi-state settlement, Anthem has agreed to offer a credit protection solution to all minors who were under age 18 when the security breach occurred.

Leading the national investigation were insurance commissioners from California, Indiana - which is the principal domiciliary regulator for Anthem and chair of the lead commissioners' task force - Maine, Missouri, New Hampshire, North Dakota and South Carolina.

In addition, 40 other state and territorial insurance commissioners joined in the agreement as participating jurisdictions.